Spring 与 BlazeDS 全局方法安全性不起作用
我正在使用 BlazeDS 和 Spring Security,并在我的 web.xml 和 application-context.xml 中使用 Spring Security 过滤器链和 Dispatcher Servlet 设置了我的应用程序,我设置了以下内容...
<s:http
auto-config="true"
access-decision-manager-ref="accessDecisionManager"/>
<s:authentication-manager>
<s:authentication-provider
user-service-ref="userService"/>
</s:authentication-manager>
<f:message-broker>
<f:secured/>
</f:message-broker>
<s:global-method-security
access-decision-manager-ref="accessDecisionManager">
<s:protect-pointcut
expression="execution(* com.my.app.Server.*(..))"
access="ROLE_USER"/>
</s:global-method-security>
这通常有效。 Spring 消息代理正确地允许我访问我的 java Server 类,并且“安全”标签起作用并允许我使用自定义身份验证管理器(通过 userService)登录到通道集。我可以在服务器类上调用远程方法,没有问题。
但是,我根本无法使全局方法安全性发挥作用。无论我使用哪个访问角色,我都无法让 Spring 调用我的 accessDecisionManager,甚至无法拒绝对 Server 类上的方法的访问。 有人知道我如何让它工作吗?
顺便说一句,我的 Server 类不是 Spring bean 或类似的东西,它只是一个标准 Java 类,将在标准 Flex 远程处理中使用。这会有所不同吗?
我正在使用 Spring Security 3 和 Flex 4.5
I am using BlazeDS and Spring Security and have set up my application using a Spring Security filter chain and Dispatcher Servlet in my web.xml and in my application-context.xml I have set up the following...
<s:http
auto-config="true"
access-decision-manager-ref="accessDecisionManager"/>
<s:authentication-manager>
<s:authentication-provider
user-service-ref="userService"/>
</s:authentication-manager>
<f:message-broker>
<f:secured/>
</f:message-broker>
<s:global-method-security
access-decision-manager-ref="accessDecisionManager">
<s:protect-pointcut
expression="execution(* com.my.app.Server.*(..))"
access="ROLE_USER"/>
</s:global-method-security>
This generally works. The Spring message broker correctly allows me to access my java Server class and the 'secured' tag works and allows me to log into the channel set using my custom authentication manager (via userService). I can call remote methods on the Server class no problem.
However, I cannot get the global method security to work at all. I cannot get Spring to invoke my accessDecisionManager, or even to deny access to methods on the Server class, no matter which access role I use. Does anybody know how I can get this to work?
Incidentally, my Server class is not a Spring bean or anything like that, it is just a standard Java class as would be used in standard Flex remoting. Would this make a difference?
I'm using Spring Security 3 and Flex 4.5
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
切点和切面仅适用于 Spring bean,如果它是普通的 java 对象,则 spring 无法拦截任何方法调用,因为它没有被代理。请为您的服务器类创建一个 spring bean,它应该可以正常工作。
创建 Spring bean 后,您可以使用 flex:remoting-destination 通过 blaze DS 公开该 bean
Point cuts and aspects only works for Spring beans, if it is plain java object spring cannot intercept any method calls as it is not proxied. Please create a spring bean for your server class and it should be working fine.
Once you created the spring bean you can expose the bean through blaze DS using flex:remoting-destination